Sentry Firewall CD(tm) -- [www.SentryFirewall.com]
Obsid@Sentry.net
http://www.SentryFirewall.com/files/README

This README is designed to give you a short introduction to the Sentry Firewall CDROM v1.x and basic instructions on how to get started configuring this CD-ROM based system. More information and updates regarding this product can be found on the project website, http://www.SentryFirewall.com/.

I recommend reading this file completely to get an idea of how this distribution works. Please also refer to the Sentry Firewall CD Howto (http://www.SentryFirewall.com/files/HOWTO/) for help getting started using this system.

Also please see the following files for important documentation, copyright, and disclaimer information -

On the CDROM:
  - /SENTRY/docs/COPYRIGHT
  - /SENTRY/docs/HOWTO/sentry-firewall-cd-howto.html
  - /SENTRY/docs/reference/sentry-firewall-cd-documentation.html

Online:
  http://www.SentryFirewall.com/files/COPYRIGHT
  http://www.SentryFirewall.com/files/HOWTO/
  http://www.SentryFirewall.com/files/reference/

##=========================================================================================##

## INTRODUCTION

The Sentry Firewall CD-ROM is designed to be an easy to manage and configure CDROM based Linux operating system suitable for use in a firewall, IDS (Intrusion Detection System) or server environment. There are several branches of the Sentry Firewall CD, each of which is based on a different Linux distribution. The original branch, called "SENTRYCD", is based on the Slackware distribution.

-- Advantages --

There are several advantages to using a CDROM based system in various security related environments. The main system is centered around the ramdisk: a compressed file system image which is loaded at boot time. Any changes to the ramdisk image are temporary, and will be undone upon the next reboot. Furthermore, the ramdisk, kernel, binaries, etc. related to the operating system are kept on read-only media (CDROM).
This means that if the security of a machine running a CDROM based system is ever compromised, a reboot is all that is needed to bring the machine back to its original state. So there is no real threat of having to go through the tedious task of rebuilding and hardening the system after a successful attack is discovered. Of course, if a successful attack does occur, then the source of the compromise will need to be plugged immediately. If doing so requires a change of passwords, or a reconfiguration of the system, then the Sentry Firewall CD gives you the ability to do so via a configuration file. Otherwise, if it's a flaw in a necessary service, then the offending bug or binary will have to be patched and placed on a new CD.

With a little understanding, a new ramdisk can be either crafted from scratch or mounted on a loopback device and edited. For updates in general, whether security related or not, one should be able to either retrieve a new CD or iso image from one of the project download sites or rebuild the CD manually - there are scripts on the CD to assist you in doing so. In the end, however, popping a new CD in the machine is generally quite a bit easier than a complete rebuild of the system.

-- Booting --

The CDROM is designed to be a generic Linux system, suitable to boot on any x86 type machine where the BIOS supports it. Most newer BIOSes have the ability to boot the machine from a capable CDROM, but you may need to make adjustments to the system's BIOS in order for the CD-ROM to boot properly. The option to boot from a CD-ROM is generally not a difficult thing to adjust; however, it is important to note that adjusting some settings within the BIOS may be dangerous and cause your machine to become unstable or perhaps even unusable. So if you're not familiar with adjusting BIOS settings yourself, please contact your computer manufacturer for instructions or have a professional do it for you. Otherwise, let's move on.
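The Advantages section above mentions editing the ramdisk offline by mounting it on a loopback device. The following added example (not part of the Sentry Firewall CD project's own scripts) shows that workflow with a sanity check before mounting; it assumes the ramdisk is a gzip-compressed ext2 image and that the path ramdisk.gz is wherever your copy of the image lives.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumptions (not stated in the
# README): the ramdisk is a gzip-compressed ext2 filesystem image; replace
# the image path with the one on your copy of the CD.
set -e

# Return 0 if FILE looks like a raw ext2/ext3 image. The superblock starts at
# byte 1024 and its little-endian magic 0xEF53 sits at offset 1024+56 = 1080.
# Checking this before "mount -o loop" catches a truncated or still
# compressed image instead of a confusing mount error.
is_ext2_image() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Decompress the gzipped ramdisk to a writable working copy and verify it.
# $1 = ramdisk.gz on the CD, $2 = output raw image file.
unpack_ramdisk() {
    gzip -dc "$1" > "$2"
    is_ext2_image "$2"
}

# Mount the raw image on a loop device, run an edit command inside it,
# unmount cleanly and recompress for the new CD. Needs root.
# Usage: edit_ramdisk ramdisk.img ramdisk.gz 'cp /path/to/new/passwd etc/passwd'
edit_ramdisk() {
    img=$1; out=$2; cmd=$3
    mnt=$(mktemp -d)
    mount -o loop "$img" "$mnt"
    ( cd "$mnt" && sh -c "$cmd" )
    umount "$mnt"
    rmdir "$mnt"
    gzip -9c "$img" > "$out"
}
```

The recompressed image then goes through the CD build scripts in /SENTRY/scripts/MK-CD, as the README describes.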
Currently, the CDROM uses the isolinux.bin boot record to load the syslinux bootloader. Beta versions of the Sentry Firewall utilized the floppy disk emulation method, which required the creation of a 2.88MB floppy disk image that contained both the ramdisk and the kernel. The current isolinux method is much less limiting, allowing us to give the user a choice of multiple kernels and the use of a larger ramdisk. More information in regard to the syslinux bootloader can be found at the following URL: http://syslinux.zytor.com/

There can be several Linux kernels on the CDROM that provide various functions or advantages. Help files and a brief description are available once the bootloader loads. You will have the opportunity to type the name of the kernel you wish to use, as well as pass parameters to the kernel, etc., once the "boot:" prompt appears. Pressing Enter at that time will just boot the default kernel, called "SENTRY", which at the moment is a current Openwall (http://www.Openwall.com/) patched 2.4.x kernel.

Several things I would like to note at this point:

  - The directory /boot/CONFIGS/ on the CDROM contains the .config files for the various kernels so you may see how they're configured.

  - All the scripts required to rebuild this cdrom (create ramdisk, iso image, etc.) are located in the directory /SENTRY/scripts/MK-CD, so you may build your own system, with your own default kernel/ramdisk if you like.

    WARNING: The scripts are not currently 'plug-n-play', that is, they're very hacky, and some familiarity with creating bootable CD-ROMs may be useful to use them properly. For more information about building a custom Sentry Firewall CD, please take a look at the HOWTO (http://www.SentryFirewall.com/files/HOWTO/). And, as usual, please read the disclaimer.

##-----------------------------------------------------------------------------------------##

## Useful Files Located on the CD-ROM

-- /SENTRY/docs

  - /SENTRY/docs/README -- This file.
  - /SENTRY/docs/HOWTO/ -- The Sentry Firewall CD HOWTO. Highly Recommended Reading.
  - /SENTRY/docs/reference/ -- The Sentry Firewall CD Reference Guide.
  - /SENTRY/docs/DOCUMENTATION -- More technical documentation about the CD-ROM and scripts.
  - /SENTRY/docs/COPYRIGHT -- Copyright and Disclaimer information.

/SENTRY/images/* -- Floppy disk images containing default configuration files that can be customized and an example sentry.conf.

/SENTRY/scripts/cd-config/ -- Contains the perl scripts used to configure the system. These can also be found in /etc/rc.d/SENTRY on the ramdisk.

/SENTRY/scripts/firewall/ -- Contains various iptables firewall scripts. Please see the README file in that directory for more information.

/SENTRY/scripts/MK-CD/ -- Scripts to assist one in creating a rootdisk, CD-ROM iso image, etc.

/SENTRY/scripts/MK-CONFIG/ -- Scripts to automate the process of creating a basic boot floppy and sentry.conf file.

/isolinux/ -- Isolinux (syslinux) related files.

/isolinux/kernels/ -- Kernels available to boot.

/isolinux/help/ -- Help files related to the kernels that can be displayed once the bootloader (isolinux) loads.

/boot/CONFIGS/ -- Directory containing the .config files for the various kernels available on the CD-ROM.

##=========================================================================================##

## Thanks

My thanks go out to the following people for providing invaluable feedback and support to this project:

  Guido Andreini
  Shannon Mann
  Peter Schilling
  Bastian Friedrich
  David A. Bandel
  Erik Williamson
  Hauser Marcel
  Kevin Verde
  Marcin Chojnowski
  Rory Vieira
  Stefan Andersson
  James Crouchet
  David Hawkins
  Jay .
  Engelbert Gruber

Anyone I may have missed, let me know so I can add your name :-)

## _EOF_ ##